[JENKINS-32571] Preserve original security settings after calling Com…
…mandInvoker.invoke()
pjanouse committed Jan 28, 2016
1 parent 1665ddd commit 07e5d6a
Showing 1 changed file with 36 additions and 2 deletions.
38 changes: 36 additions & 2 deletions src/main/java/hudson/cli/CLICommandInvoker.java
@@ -29,8 +29,12 @@
import hudson.security.ACL;
import hudson.security.AuthorizationStrategy;
import hudson.security.Permission;
import hudson.security.SecurityRealm;
import hudson.security.SidACL;

import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;

import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.PrintStream;
@@ -44,6 +48,7 @@
import org.acegisecurity.acls.sid.PrincipalSid;
import org.acegisecurity.acls.sid.Sid;

import org.apache.maven.plugin.lifecycle.Execution;
import org.hamcrest.Description;
import org.hamcrest.TypeSafeMatcher;
import org.jvnet.hudson.test.JenkinsRule;
@@ -58,6 +63,9 @@ public class CLICommandInvoker {
private static final String username = "user";
private final JenkinsRule rule;
private final CLICommand command;
private SecurityRealm originalSecurityRealm = null;
private AuthorizationStrategy originalAuthorizationStrategy = null;
private SecurityContext originalSecurityContext = null;

private InputStream stdin;
private List<String> args = Collections.emptyList();
@@ -112,6 +120,8 @@ public Result invokeWithArgs(final String... args) {

public Result invoke() {

Result result;
Error executionError = null;
setAuth();

final ByteArrayOutputStream out = new ByteArrayOutputStream();
@@ -121,7 +131,11 @@ public Result invoke() {
args, locale, stdin, new PrintStream(out), new PrintStream(err)
);

return new Result(returnCode, out, err);
result = new Result(returnCode, out, err);

restoreAuth();

return result;
}

private static class GrantPermissions extends AuthorizationStrategy {
@@ -161,13 +175,33 @@ private void setAuth() {

JenkinsRule.DummySecurityRealm realm = rule.createDummySecurityRealm();
realm.addGroups(username, "group");

originalSecurityRealm = rule.jenkins.getSecurityRealm();
rule.jenkins.setSecurityRealm(realm);

originalAuthorizationStrategy = rule.jenkins.getAuthorizationStrategy();
rule.jenkins.setAuthorizationStrategy(new GrantPermissions(username, permissions));

command.setTransportAuth(user().impersonate());
// Otherwise it is SYSTEM, which would be relevant for a command overriding main:
ACL.impersonate(Jenkins.ANONYMOUS);
originalSecurityContext = ACL.impersonate(Jenkins.ANONYMOUS);
}

private void restoreAuth() {
if (originalSecurityRealm != null) {
rule.jenkins.setSecurityRealm(originalSecurityRealm);
originalSecurityRealm = null;
}

if (originalAuthorizationStrategy != null) {
rule.jenkins.setAuthorizationStrategy(originalAuthorizationStrategy);
originalAuthorizationStrategy = null;
}

if (originalSecurityContext != null) {
SecurityContextHolder.setContext(originalSecurityContext);
originalSecurityContext = null;
}
}

public User user() {
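Review bot: In `invoke()`, `restoreAuth()` runs only on the normal path, so if the command call between `setAuth()` and `new Result(...)` throws, the dummy realm, the `GrantPermissions` strategy and the anonymous security context stay installed on `rule.jenkins`, and later steps of the same test run under the wrong authorization, which can hide a permission regression. Wrapping everything from `setAuth();` onward as `try { … return new Result(returnCode, out, err); } finally { restoreAuth(); }` restores the settings on every path and makes the `result` local unnecessary. `Error executionError = null;` is never used in the visible lines, and the added import `org.apache.maven.plugin.lifecycle.Execution` looks accidental; both can probably be dropped. The call that assigns `returnCode` and the start of `setAuth()` are collapsed on this page, so it is worth confirming that no early return in `setAuth()` leaves one of the `original*` fields unset while another setting has already been replaced.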